Security as a Service Working Group

Current Initiatives

No open initiatives at this time.

Introduction to the Security as a Service Working Group

The mission statement of the Cloud Security Alliance is “. . . to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.” In order to provide greater focus on the second part of our mission statement, the CSA is embarking on a new research project to provide greater clarity on the area of Security as a Service.

Numerous security vendors are now leveraging cloud-based models to deliver security solutions. This shift has occurred for a variety of reasons, including greater economies of scale and streamlined delivery mechanisms. Regardless of the motivations for offering such services, consumers are now faced with evaluating security solutions which do not run on premises. Consumers need to understand the unique nature of cloud-delivered security offerings so that they are in a position to evaluate the offerings and to understand if they will meet their needs.

The purpose of this research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group.

The Security as a Service Implementation Guidance is made possible by the following sponsors:

CSA today announced that its Security as a Service (SecaaS) Working Group has completed its peer review process and has published implementation guidance documents expanding upon their “Defined Categories of Service” document that was first made available in August of 2011.

CSA announces the availability of several new opportunities to sponsor key research initiatives. Your support helps us maintain our aggressive research schedule and accelerate responsible adoption of cloud computing.

The Security as a Service (SecaaS) working group would like to invite you to review and comment on the Security as a Service “Defined Categories of Service” whitepaper. Your expertise will ensure that the white paper has accurate content.

The CSA Security as a Service (SecaaS) Working Group will have their first group call on July 5th. The purpose of their research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices.

Thank you to those who have contributed to the “Categories of Service” section of our working group proposal. We are still seeking input to all categories. For those who have recently expressed interest in getting involved, send me an email at [email protected] (Subject line: SecaaS Categories).

When using the cloud for operational processes and/or production systems, an organization’s BC/DR requirements must be included in their procurement, planning, design, management, and monitoring of their cloud environments and cloud service providers.

Encryption is a primary data (and application) protection technique. For encryption to be useful, encryption keys must be properly managed and protected. This document covers both the encryption and key management topics.

Because of the limited market maturity and lack of widely accepted best practices, this document provides implementation guidelines for cloud-based intrusion management service of multiple flavors—in the cloud, through the cloud, or from the cloud—focusing on the basic tenets of service and architecture rather than solutions.

There are many choices for an assessment framework standard, and there is no “one size fits all” solution for security assessments. One could reasonably expect that as cloud technology and governance evolve, a much smaller subset will emerge with a cloud focus.

Due to its ubiquitous use, electronic mail is both the prime target of, and primary vehicle for, attacks, and must be protected on both ends: sending and receiving. Email service is a well-defined utility in the enterprise, and securing email in the cloud is similar to securing email in the enterprise. Email Security as a Service (SecaaS) has a few unique aspects, but most responses entail differences of degree, rather than instituting new methods of security.

The vendor and academic community have come together to form a set of solutions called Security as a Service. This document specifically addresses one element focused on Web Security as a Service (Web SecaaS).

DLP must be considered an essential element for achieving an effective information security strategy for protecting data as it moves to, resides in and departs from the cloud. DLP has two facets: one as viewed from the owner’s perspective and one as viewed from the custodian’s perspective.

In a cloud environment, a major part of network security is likely to be provided by virtual security devices and services, alongside traditional physical network devices. Tight integration with the underlying cloud software layer to ensure full visibility of all traffic on the virtual network layer is important.

This document addresses personnel involved in the identification and implementation of the IAM solution in the cloud. It will be of particular interest to those with the responsibility of designing, implementing and integrating the consumption of services of the IAM function within any cloud application of SecaaS.

Culture‐free, one‐size‐fits‐all English is usually the most efficient way to speak to a large, heterogeneous audience of E2s. In contrast, there are times when our English materials are intended for E2s in a small number of specific countries. In these cases, it might make good business sense to produce more than one English version, sensitive to the first language of the readers.
